Showing posts with label data gathering. Show all posts

Friday, September 24, 2010

Enter the evercookie

Security researcher Samy Kamkar has created what he calls "evercookies" and others are calling "frankencookies." I could add, "zombiecookies." Like Frankenstein's monster, they are created from 10 different types of data-storing objects. Like zombies, unless you completely eradicate all of its components, the evercookie will return.


On Samy's evercookie page he gives some details, along with a demonstration and two different links to download the source code. Among the details he gives are the types of storage objects used to retain and resurrect the data:


Specifically, when creating a new cookie, it uses the
following storage mechanisms when available:
  • Standard HTTP Cookies
  • Local Shared Objects (Flash Cookies)
  • Storing cookies in RGB values of auto-generated, force-cached
    PNGs using HTML5 Canvas tag to read pixels (cookies) back out
  • Storing cookies in and reading out Web History
  • Storing cookies in HTTP ETags
  • Internet Explorer userData storage
  • HTML5 Session Storage
  • HTML5 Local Storage
  • HTML5 Global Storage
  • HTML5 Database Storage via SQLite

Samy provides a demonstration that produces supposedly non-traceable evercookies, cookies with just enough information to prove the cookies have been created. He notes that private browsing in Safari defeats evercookies. I tested Firefox and it also killed evercookies in private browsing mode. Both only kill evercookies if you are already in private browsing mode when the cookies are placed. Safari's reset option will not kill an evercookie.

Evercookies are a heinous development - from a privacy point of view. To merchants and ad services they are a gift from the Internet gods. Before we have a good answer to Flash cookies, evercookies appear, making Flash cookies look positively ephemeral. Because they are comprised of several different files of several different types in multiple locations, they are hard to find, and if any piece of an evercookie is left behind, the entire cookie can be recreated. As if that wasn't already bad enough, Samy is seeking more ways to make evercookies hard to find and kill.
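A defender's check for the resurrection behaviour described above, as an added example that is not from this post or from Samy's code: it compares storage snapshots taken before clearing, after clearing and after revisiting a site, and flags identifiers that reappear in a cleared store while another store kept them. The snapshot format, store names, keys and the identifier are constructed for illustration, and gathering Flash or ETag contents is assumed to happen with tooling outside the page.

```javascript
// Constructed snapshots: store name -> { key: value }. Store names follow the
// list above; the keys and the identifier "u-7f3a" are made up for this example.
const before = {
  httpCookie:     { uid: "u-7f3a", theme: "dark" },
  localStorage:   { uid: "u-7f3a" },
  sessionStorage: { uid: "u-7f3a" },
  flashLSO:       { uid: "u-7f3a" },
  etag:           { tag: "u-7f3a" },
};
// User clears cookies and HTML5 storage; the Flash LSO and cached ETag survive.
const afterClear = {
  httpCookie: {}, localStorage: {}, sessionStorage: {},
  flashLSO: { uid: "u-7f3a" }, etag: { tag: "u-7f3a" },
};
// After the next visit the identifier is back in two of the cleared stores.
const afterRevisit = {
  httpCookie: { uid: "u-7f3a" }, localStorage: { uid: "u-7f3a" }, sessionStorage: {},
  flashLSO: { uid: "u-7f3a" }, etag: { tag: "u-7f3a" },
};

// All stores in a snapshot that hold `value` under any key, sorted by name.
function storesHolding(snapshot, value) {
  return Object.keys(snapshot)
    .filter((store) => Object.values(snapshot[store] || {}).includes(value))
    .sort();
}

// A value counts as respawned in a store when it was there before, gone after
// clearing, back after the revisit, and some other store kept it in between.
function findRespawned(before, afterClear, afterRevisit) {
  const findings = [];
  for (const [store, entries] of Object.entries(before)) {
    for (const [key, value] of Object.entries(entries)) {
      const cleared = !Object.values(afterClear[store] || {}).includes(value);
      const back = Object.values(afterRevisit[store] || {}).includes(value);
      const survivors = storesHolding(afterClear, value);
      if (cleared && back && survivors.length > 0) {
        findings.push({ store, key, value, survivors });
      }
    }
  }
  return findings;
}

const report = findRespawned(before, afterClear, afterRevisit);
console.log(JSON.stringify(report, null, 2));
```

The `survivors` field in each finding names the stores that have to be cleared in the same pass for the identifier to stay gone.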

Privacy is in large part control of information. The more control you have over your information, the more privacy you have. The more others control your information, the less privacy you have. Things like Flash cookies and evercookies remove control of your information from you and give it to others and are designed to make it hard for you to get rid of them. That is enough reason for me to dislike them.

Monday, September 13, 2010

Don't eat Eric Schmidt's ice cream

Google was called to task recently by insidegoogle.com for privacy statements of CEO Eric Schmidt. It took the form of a 15 second video played on the jumbotron in Times Square. You can see it here. But that wasn't enough; they put up a longer version with a voice track on their website and on YouTube here.

The shorter video has the creepier appearance, relying on "Schmidt's" facial expression to convey the wickedness of Google's data gathering, but the longer version gives examples of what Google might know about you. Unfortunately, they chose two examples that fall right in line with the paraphrased Eric Schmidt quote they use, "If there's anything you don't want anyone to know, you shouldn't be doing it in the first place." There are plenty of things that you might not want people to know, but that are completely legitimate. I guess they don't have enough of a 'creepy factor' for an ad like this, though. Google's response to the videos was very sedate, or at least I didn't see loud objections or denials. They made changes to clarify their privacy policy and even, after initial refusal, allowed insidegoogle.com to purchase advertising on Google for the purpose of criticizing Google.

Google, possibly more than any other company - even Facebook - knows us better than we know ourselves. They talk about stored data being anonymized, but for it to be useful in the ways Google uses it there has to be a way to connect it to us. That's how personalized searches, search term suggestions and the other little perks we take for granted now that didn't exist just a few years ago work. If Google can connect it to us, it's possible that someone else might obtain it and make the same connection.

So is Eric Schmidt one of several 'dark lords' of internet data gathering? Or is he a messiah, using the personal data we gift him with to improve our internet experience and grant us greater and more personal online lives? Or is he a well-meaning businessman who really doesn't understand the implications of what he is doing? I doubt that any of those are completely true. But it is true that Google's business could not exist as it does if it didn't have access to as much information as it can gather from us. So I imagine that there is a little of the sinner and the saint in Mr. Schmidt's motives, and perhaps a little of the naive visionary as well. But regardless of his motivations, it's our job to make sure that Google and companies like it only gather information we want gathered. To do that we have to know what information they are gathering, why, and what is being done with it, and they should be willing to tell us.